
House panels move to discern better voting machine defenses

THE OTHER KIND OF MACHINE LEARNING— Two House Oversight subcommittees will hold a joint hearing this afternoon on the digital defenses protecting voting machines, the first hearing since the 2016 elections focused explicitly on the devices themselves.


“Like anything else in the digital age, electronic voting is vulnerable to hacking,” Rep. Will Hurd, chairman of the Information Technology Subcommittee, is expected to say in his prepared opening statement. “It is essential that states take appropriate steps to secure their voting infrastructure.” He will add: “Just because Russia did not tamper with ballots or reporting of election results during the last election, it doesn’t mean they or other adversaries won’t try to do so in the next election, or the election after that.”

Rep. Robin Kelly, the top Democrat on Hurd’s panel, will advocate for specific upgrades. “Updating our voting machines to auditable, paper-based machines, such as optical scanners, is a step we need to take right now,” she’ll prescribe in her prepared opening remarks. “Our election infrastructure is broad and contains numerous vulnerabilities. If we are going to withstand a coordinated attack, we need a coordinated defense.”

Lawmakers have offered a raft of proposals that would make progress on Kelly’s suggestions, but Capitol Hill has yet to move on any legislative offering. The inaction has election security specialists worried that Election Day 2018 may arrive before the country has bolstered its digital defenses. And it may already be too late for some critical targets, as Martin recently reported. By this point during the 2016 election cycle, Russian hackers had already been in the Democratic National Committee’s networks for at least three months.

At today’s hearing, one of the leaders of the Homeland Security Department’s efforts to strengthen election security, Christopher Krebs, is scheduled to testify, as are two top state officials — Louisiana Secretary of State Tom Schedler and Virginia Department of Elections Commissioner Edgardo Cortes. And there are two more witnesses — computer science professor Matthew Blaze and Susan Hennessey, a Brookings Institution fellow.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Your MC host is living in that world of “having a cold” where you have to decide whether you’d rather feel miserable, or groggy and drowsy from medication. Send your thoughts, feedback and especially tips to [email protected] and be sure to follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info below.

TODAY: EDUCATION ENCRYPTION BILL DROPS— Sen. Ron Wyden and Rep. Duncan Hunter are introducing education legislation in both chambers today that would aim to set up a more secure higher education data system. The ultimate goal of the bill is to provide would-be students with information about schools’ debt levels, graduation rates and other data, without harming privacy. A provision within the proposal would require that the system employ what’s known as “secure multi-party computation.” The technique is a cryptographic protocol, rather than encryption of stored data, that lets the owners of sensitive records jointly link, calculate and aggregate those records so that only the agreed-upon result is revealed and no party learns another party’s private inputs.

“This legislation marks a sea change in the continuing conflict between personal privacy and public good,” said David Archer, principal research scientist at Galois, a computer science firm. “The technology mandated here assures two things: that public policies affecting real people can be decided based on factual data about them, and that the privacy of those facts is provably preserved.”
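To make the mechanism concrete, here is an added example (not from the newsletter, the bill or Galois) of the simplest secure multi-party computation: a secure sum built on additive secret sharing. It assumes three hypothetical data holders, say three institutions each holding a private cohort debt total, who want the combined total without any of them disclosing its own figure. Each holder splits its value into random shares that add up to the value modulo a prime, hands one share to each party, and every party publishes only the sum of the shares it received. The input values are constructed for the demonstration.

```python
import secrets

# Prime modulus for the arithmetic. Any prime comfortably larger than the
# largest possible sum works; 2**61 - 1 is a Mersenne prime, chosen for convenience.
PRIME = 2**61 - 1


def share(value: int, n_parties: int) -> list[int]:
    """Split `value` into n_parties additive shares that sum to `value` mod PRIME.

    All shares but the last are uniformly random, so any n_parties - 1 of them
    together carry no information about `value`.
    """
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recover a shared value (or a sum of shared values) from a full set of shares."""
    return sum(shares) % PRIME


def secure_sum(private_inputs: list[int]) -> tuple[int, list[int]]:
    """Compute the sum of the parties' private inputs without revealing any input.

    Returns (total, partial_sums). The partial sums are the only values a party
    ever publishes; each is a sum of random shares and so reveals nothing on its own.
    """
    n = len(private_inputs)

    # Round 1: party `owner` splits its input and sends share j to party j
    # (its own share it simply keeps). `inbox[j]` models what party j receives.
    inbox: list[list[int]] = [[] for _ in range(n)]
    for value in private_inputs:
        for recipient, s in enumerate(share(value, n)):
            inbox[recipient].append(s)

    # Round 2: each party adds up the shares it holds. Because addition commutes
    # with sharing, these partial sums are themselves additive shares of the total.
    partial_sums = [sum(box) % PRIME for box in inbox]

    # Round 3: the partial sums are published and anyone can add them.
    return reconstruct(partial_sums), partial_sums


def demo() -> int:
    # Constructed inputs: private totals held by three hypothetical institutions.
    total, _partials = secure_sum([42_000, 58_000, 30_000])
    return total
```

Two caveats a practitioner would add. First, the output itself can leak: with only two parties, each can subtract its own input from the total and learn the other's, so the bill's aggregate statistics still need minimum group sizes. Second, this toy protocol is only secure against parties who follow it; the deployed systems the bill contemplates must also handle parties that send malformed shares, which is what the heavier MPC literature addresses.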

YAHOO BREACH SUSPECT PLEADS GUILTY— A Canadian national pleaded guilty Tuesday to charges of computer hacking and other offenses related to the massive Yahoo data breach. Karim Baratov was charged alongside two officers of the Russian spy agency FSB for running a scheme to infiltrate Yahoo’s networks beginning in 2014. Baratov’s role in the conspiracy was to hack individual accounts and provide the FSB officers access to them in exchange for money, according to his plea agreement. “This case is a prime example of the hybrid cyber threat we’re facing, in which nation states work with criminal hackers to carry out malicious activities,” said Executive Assistant Director Paul Abbate of the FBI’s Criminal, Cyber, Response and Services Branch.

LOCATION, LOCATION, LOCATION — Per our friends at Morning Tech: It’s a busy tech week at the Supreme Court, where the justices are due to hear a case today examining whether the federal government can obtain an individual’s cellphone location records without a warrant. At issue in the court’s review of Carpenter v. U.S. this morning is whether the historical cell-site location records that wireless carriers keep about their customers are protected by the Fourth Amendment’s shield against “unreasonable search and seizure.” Under the third-party doctrine the courts have applied in the past, records a customer shares with a phone company, other than the “content” of phone calls, were not considered private. The rise of cellphones and the massive amount of data they generate beyond calls may have changed that expectation. We’re tracking.

Wyden, in remarks at the Center for Democracy and Technology on Tuesday, argued that requiring a warrant for searching cellphone location data is vital for protecting Americans from surveillance overreach. “We need the courts and Congress to step up and make sure that our constitutional rights don’t disappear simply because technology makes it practically effortless to violate them,” he said. “My view is that everyone will be better off with a clear standard that says the government needs a warrant to track an American’s location.”

TILLERSON TOUTS CLOUD MIGRATION — The State Department must move its IT systems to the cloud because the agency’s aging computer networks present a security threat, Secretary Rex Tillerson said Tuesday. “We have a really antiquated IT system,” Tillerson said during a speech at the Wilson Center in Washington. He recounted visiting the department’s administrative staff and asking them what their most urgent request was. “They said, ‘Get us into the cloud,’” Tillerson recalled. “I looked at them. I said, ‘What do you mean? We’re not in the cloud?’ And they said, ‘No, no. We’re still on all these servers.’” Tillerson said the IT staff described the current setup as “a big cyber risk.” He also said that once he received his work computer, he began “realizing just how cumbersome” the current system was.

The White House Office of American Innovation has made IT modernization a top priority, with one major element of the push being cloud migration. But despite what Tillerson suggested, cloud services carry cyber risks of their own, as recent leaks from misconfigured Amazon S3 storage buckets have shown.

UBER LAWSUITS PILE UP — Washington on Tuesday became the first state to sue Uber, accusing the ride-sharing giant of “thousands of violations” of the state’s data breach notification law in the 2016 incident that exposed the personal information of 57 million users. According to a 2015 state measure, consumers must be notified within 45 days of a breach and the Attorney General’s Office must be notified within 45 days if the breach affects 500 or more Washingtonians.

The intrusion at Uber occurred late last year and the company paid the hackers $100,000 to buy their silence. “Washington law is clear: When a data breach puts people at risk, businesses must inform them,” Washington Attorney General Bob Ferguson said in a statement. “Uber’s conduct has been truly stunning. There is no excuse for keeping this information from consumers.” On Monday, the city of Chicago also filed a lawsuit against Uber for failing to disclose the massive breach.

FEDS HITTING DHS DEADLINES— Every federal civilian agency has developed a plan to remove Russia-based Kaspersky Lab’s software from its systems, a DHS official confirmed to MC. And every agency met the Nov. 19 deadline to do so, as Nextgov first reported. It’s the second of three phases; the first was identifying which agencies had Kaspersky software on their networks.

The official also confirmed a Nextgov report that all major federal agencies will be connected by February to a government-wide cybersecurity dashboard that feeds digital insights to DHS and helps the agency better identify what software is running in federal IT systems.

The first project will help organizations determine which assets need protection and identify the best way to protect them, including “backups, secure storage, integrity checking mechanisms, audit logs, vulnerability management, maintenance, and other potential solutions.” The second project will help organizations contain the damage from ransomware attacks and restore systems affected by them. Both projects will lead to “practice guides” that organizations can apply to their own IT environments. NIST is accepting public comments on both drafts until Dec. 12.
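The “integrity checking mechanisms” in that list are simpler than they sound. The following added example (not from NIST’s drafts) records a SHA-256 baseline of a directory tree and later diffs the live tree against it, which is enough to flag the three signatures of a ransomware run: files rewritten in place, files renamed with a new extension, and ransom notes dropped alongside them. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under `root` (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p) for p in root.rglob("*") if p.is_file()}


def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with a stored baseline.

    Returns the files whose contents changed, the files that disappeared (renamed
    or deleted), and the files that appeared since the baseline was taken.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then simulate a ransomware run."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("payroll.csv", "contracts.docx", "readme.txt"):
            (root / name).write_bytes(b"original contents of " + name.encode())
        baseline = build_baseline(root)

        # Simulated attack: one file encrypted in place (random bytes stand in for
        # ciphertext), one renamed with a .locked extension, and a ransom note dropped.
        (root / "payroll.csv").write_bytes(os.urandom(64))
        (root / "contracts.docx").rename(root / "contracts.docx.locked")
        (root / "HOW_TO_DECRYPT.txt").write_text("pay us")

        return check_integrity(root, baseline)
```

The check is only as trustworthy as the baseline: store the digest map somewhere the monitored host cannot overwrite (a read-only share, a separate log collector, or a signed file), or the same malware that encrypts the data can rewrite the baseline to match.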

BIG CYBER — NATO this week is holding its largest cyber defense exercise to date, the alliance announced Tuesday. The three-day event — dubbed Cyber Coalition — is managed from a NATO center in Estonia and features more than 700 participants from 25 alliance members, as well as NATO partner countries and the European Union. The 10th annual exercise is designed to test and train cyber experts from across the alliance on their ability to defend NATO and national networks, as well as to boost coordination among countries in the event of a digital attack.

RECENTLY ON PRO CYBERSECURITY— “The U.S. Army and NSA accidentally leaked highly sensitive files from a joint intelligence project, according to new research.” … Rep. Ted Lieu is seeking an FBI briefing for lawmakers about why the bureau didn’t notify U.S. officials they were targeted by Russian hackers. … The Independent Community Bankers of America is suing Equifax for compensation related to the credit bureau’s data breach. … Facebook and Twitter plan to respond soon to calls from the U.K. Parliament for evidence of Russian interference in British politics.

— “A Chinese internet security firm that researchers say is behind sophisticated attacks on Western energy and defense companies disbanded this month amid U.S. accusations that some of its shareholders were involved in hacking and theft of trade secrets.” The Wall Street Journal.

— PandaLabs is releasing its annual report, which includes the finding that the company detected an average of 285,000 new, distinct malware samples every day from the beginning of the year through October.

— More than 90 percent of firms failed to patch the vulnerable Apache Struts component exploited in the Equifax hack, Veracode found. The Hill.


About The Author : Tim Starks

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.